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The general conditions are discussed which quantum state purification protocols have 
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suitably chosen Calderbank-Shor-Steane code to the outcome of such steps. As a main result 
a necessary and a sufficient condition on asymptotic correctability are presented, which relate 
this problem to the magnitude of a characteristic exponent governing the relation between 
bit and phase errors under the purification steps. These conditions allow a straightforward 
determination of maximum tolerable bit error rates of quantum key distribution protocols 
T^j" ■ whose security analysis can be reduced to the purification of Bell-diagonal states. 
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The quantum cryptographic protocol developed by Bennett and Brassard (BB84) Q] demon- 
strates in an impressive way how the key distribution problem of classical cryptography can be 
solved by means of quantum physics. Later Shor and Preskill P| demonstrated that the security 
of this quantum key distribution protocol is guaranteed at least up to bit error rates of approx- 
imately 11.4%. Their proof is based on two main ideas. Firstly, it exploits an equivalence be- 
tween the originally proposed BB84 protocol as a prepare-and-measure protocol and an associated 
entanglement-based protocol. Secondly, it reduces the security issue to the capability of purifying 
Bell-diagonal qubit-pair states with the help of one-way classical communication and Calderbank- 
Shor-Steane (CSS) codes 0,0]. Gottesman and Lo [j| extended Shor and Preskill's approach to 
entanglement purification protocols which involve bit- and phase-error correcting sequences based 
on classical two-way communication followed by a CSS-based entanglement purification step. This 
way they were able to raise the maximum tolerable bit error rate of the BB84 protocol to 18.9 %. 



Later on Chau 



extended this approach thereby achieving a maximum tolerable bit error rate of 
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20 %. Motivated by these investigations of Gottesman and Lo in this work general entanglement 
purification protocols are analyzed which imply the security of any quantum key distribution pro- 
tocol whose security analysis can be reduced to the purification of Bell-diagonal states. The BB84 
protocol and the highly symmetric six-state protocol Q] are well-known examples of such quantum 
key distribution protocols. The general entanglement purification protocols considered are sup- 
posed to map Bell-diagonal states to Bell-diagonal states until the Shannon bound guarantees a 
successful completion of the entanglement purification on the basis of an appropriate CSS encoding 
and classical one-way communication. A special example thereof is the entanglement purification 
protocol introduced by Gottesman and Lo, which, in addition, is compatible with a reduction of 
an entanglement-based quantum key distribution protocol to an associated prepare-and-measure 
scheme. As a main result a necessary and a sufficient condition (main theorem) on asymptotic 
correct ability of Bell-diagonal qubit-pair states are presented relating the success of such a general 
entanglement purification protocol to the magnitude of a characteristic exponent, which governs 
the scaling between bit and phase errors. This latter characteristic exponent can be determined 
in a straightforward way and allows the determination of maximum tolerable bit error rates of the 
Bell-diagonal states involved. Applying this general result to entanglement purification protocols 
of the Gottesman-Lo type, for example, this criterion implies that even without any phase-error 
correcting steps of the Gottesman-Lo type secret keys can be generated by the BB84 and six- 
state quantum cryptographic protocols up to the already known bit error rates of 1/5 = 20% and 
1/2 - 1/(2 V§) ~ 27.6393 % and that in the absence of phase -error correction no higher bit error 
rates are tolerable. Furthermore, numerical evidence is provided that also arbitrary additional 
sequences of phase-error correcting steps cannot improve on these particular bounds. 

This manuscript is organized as follows: In order to put the general entanglement purification 
protocols considered in our main theorem into perspective we first of all summarize basic aspects 
of the entanglement purification protocol of Gottesman and Lo (5J and generalize their original 
proposal to arbitrary numbers n of qubit pairs. Correspondingly, basic notions together with the 
generalized bit-error (B n ) and phase-error (P n ) correcting Gottesman-Lo-type steps are introduced 
in section 2. In section 3 basic asymptotic properties of these purification steps are analyzed for 
large numbers of qubit pairs. In particular, the exponents characterizing the scaling of the bit 
and phase errors under B n and P n steps are determined. Our main theorem concerning the 
asymptotic correctability of entanglement purification of Bell-diagonal states and its relation to 
the exponents characterizing bit and phase errors is stated and proved in section 4. Finally, based on 
this main theorem in section 5 the asymptotic correctability of the B n and P n steps characterizing 
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Gottesman-Lo-type purification protocols are investigated in more detail. It is shown that bit-error 
correcting B n steps alone are already able to guarantee security of the BB84 protocol and the six- 
state protocol up to maximum bit error rates of magnitude 1/5 and 1/2 — l/(2\/5), respectively. 
Furthermore, numerical evidence is provided that even arbitrary sequences of phase-error correcting 
P n steps cannot improve on these bounds. Based on this evidence these numbers constitute the 
maximum possible error rates which are tolerable in the BB84 protocol and in the six-state protocol 
provided error correction and privacy amplification are based on arbitrary sequences of B n and 
P n steps of the Gottesman-Lo type. For the sake of a clearer presentation of the main ideas some 
proofs of theorems stated in these sections are postponed to the appendices. A more detailed 
elaboration of some statements can be found in lal. 



II. PURIFICATION PROTOCOLS OF THE GOTTESMAN-LO TYPE 

In this section basic properties of bit-error (B n ) and phase-error (P n ) correction steps are 
discussed which generalize the bit- and phase-error correcting steps Z?gl and Pgl proposed by 
Gottesman and Lo [|| to arbitrary numbers n of qubit pairs. These steps are capable of reducing 
the bit and phase errors of Bell-diagonal qubit-pair states and can be used as building blocks of 
entanglement purification protocols which are based on classical two-way communication. In view 
of the Gottesman-Lo theorem |5j entanglement purification protocols consisting of these B n and 
P n steps can be reduced to prepare-and-measure schemes. 

Gottesman and Lo proved that it is sufficient for guaranteeing security of the BB84 and the 
six-state protocol to be able to purify classical mixtures of the four (pure) Bell states 

|<&±) :=(1A/2)[|00)±|11)] 5 |*±> :=(1A/2)[|01)±|10)]. (1) 

If necessary, the following notation will be used 9]: (0,0) := |<I> + ), (1,0) := |$~), (0,1) := 

(1, 1) := |^ _ ). Here, the numbers are to be understood as elements of the binary field F2. Mixtures 

of Bell states are denoted by 

(a,b,c,d) := a|$ + )($ + | + &|$ _ )($ _ | + c|4> + )(^ + | (2) 

with a, b, c, d > and a + b + c + d = 1. The set of all such Bell-diagonal states is denoted by 5kh . 
A Bell-diagonal state is entangled, if and only if one of the four coefficients is larger than 1/2 [9j. 
In our discussion a Bell-diagonal state will be called entangled with respect to |$ + ), if a > 1/2. 
The set of states with a > 1/2 and with a > 1/2 are denoted by S v and by <S V , respectively. 
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In the subsequent discussion we choose the state |<J? + ) as the reference state for entanglement 
purification; therefore a = F will be called fidelity (with respect to |$ + ))- Furthermore, the 
parameters b, c, and d are the pure phase error rate, the pure bit error rate and the combined 
bit-phase error rate. Correspondingly, the parameters B = c + d and P = b + d are the total bit 
and phase error rates. 

For the purposes of entanglement purification it is sufficient to assume that Alice and Bob share 
an infinite number of qubit pairs, all described by the same density operator p = (a, b, c, d) £ S v 

as mappings on the set 5bd- A particular step of 
the purification protocols considered takes a fixed number n of qubit pairs, all prepared in the same 
state p = (a,b,c,d), as input and yields with some non- vanishing probability, which may depend 
upon p, a final qubit pair in the state p' = (a', b' , c', d') or no qubit pair at all. 



A. B n steps 

A B n step which involves n € N qubit pairs reduces the bit error rate, but simultaneously it 
also increases the phase error rate of the original quantum state. It is defined by the following 
sequence of steps: 

1. Alice and Bob choose n qubit pairs QP\, ■ ■ ■ , QP n - 

2. Alice and Bob apply bilateral BXOR operations of the form BXOR(QPi, QPk) for all qubit 
pairs k € {2, . . . , n} (n — 1 operations). 

3. Alice and Bob measure the bit parities of all pairs from QP2 to QP n and continue using 
QPi, if and only if all parities are +1 (same bit values for Alices and Bobs measurement). 
The pairs QP2, • • • , QP n are discarded. 

Here, the BXOR operation on Bell-diagonal states is defined by P, ||| 

BXOR(QPi,QP 2 ) : (h,mi) (^,m 2 ) ■-> (h®h,mi) {h,mi ©m 2 ). (3) 

Thus, for a given set of n pure Bell pairs (/j,mj), according to step (ii) the BXOR operations are 
equivalent to the transformation 

(g)" =i (li,mi) h+ (0" =1 Zi,mi) ® ®fc =2 (^' m i ® m k) ■ ( 4 ) 

According to step (iii) the pair QP\ is kept for the next step, if m\ © m& = holds for all k £ 
{2, . . . ,n}. Otherwise this qubit pair is discarded. Therefore, we obtain the relations B\ = ids bd , 
B2 = Bql, B n B m = B nm , and (-Bgl)™ = B 2 n. 
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Note that Alice and Bob could perform the measurements of the pairs QP2, ■ ■ ■ ,QP n imme- 
diately after the respective BXOR operation. If the pair QP\ is discarded immediately after the 
first false parity, the average number of discarded qubits reduces, which results in a higher key 
generation rate. 

In I A H it is shown that with respect to the first qubit pair QP\ a B n step can be identified with 
a mapping B n : 5bd — ► 5bd with B n : (a, b, c, d) 1— ► (a', b', c' , d!) and with 



(5) 



[(a + b) n + (a - b) n ] /2N, b' = [(a + b) n - (a - b) n ] /2N, 
[(c + d) n + (c - d) n ] /2N, d' = [(c + d) n - (c - d) n ] /2N. 

The value N = [(a + b) n + (c + <i) n ] is the survival probability of the first pair. 



B. P„ steps 

In analogy to the -Bql step also the B n step can be adapted to correct phase errors However, 
according to the Gottesman-Lo theorem such a step has the disadvantage that it cannot be reduced 
to some prepare-and-measure protocol. Therefore, Gottesman and Lo originally developed an 
alternative phase-error correction step which is not as efficient, but which can be reduced to a 
prepare-and-measure protocol. The P n step considered in the following is a generalization of this 
step originally developed by Gottesman and Lo J5j]. For any n £ No, we define a i"2n+i step as 
follows: 

1. Alice and Bob choose 2n + 1 qubit pairs QP±, ■ ■ ■ , QP2n+i- 

2. Alice and Bob perform Hadamard transformations on all pairs. 

3. Alice and Bob perform BXOR operations of the form BXOR((5-Pi, QPk) for all qubit pairs 
with k £ {2, . . . ,2n + 1} (2n operations). 

4. Alice and Bob measure the bit parities of all pairs from QP2 to QP n ; the number of pairs 
with bit parity —1 (different outcomes for Alice and Bob) is denoted as m G {0, . . . ,2n}. 

5. Alice and Bob perform a Hadamard transformation on QP\. 

6. If m > n + 1, Bob performs the transformation H ® a z on the first pair. Otherwise, Bob 
leaves the first pair unchanged. The pairs QP2, • • • , QP2n+i are discarded. 
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If in step (v) Alice and Bob apply the Hadamard transformation to all qubit pairs, they can 
exchange steps (iv) and (v), if they measure the phase parity l\ © Ik instead of the bit parity for 
k 6 {2, . . . , 2n + 1}. In this latter case the transformation yields 

2n+l , /. ^ TN 2n+l \ fx— „2n+l 

1=1 



(/i,mi) ^ (^l,(±). =1 m V ® [QS) fe=2 Ol®^' m *)J- ( 6 ) 



According to Bob's final transformation in step (vi) the new phase of the first qubit pair QPi, as 
characterized by the parameter li, is fixed by the majority of the 2n + 1 phases of all qubit pairs 
involved. 

Similar to the case of the B n step, we obtain P\ = ids bd and P3 = Pql- But contrary to the 
case of B n steps, a sequence P n P m is always worse than a single P nm step. This originates from 
the fact that the bit errors introduced by P n Pm and P nm sequences are always equal, whereas the 
majority of majorities is not necessarily the total majority of phases. Note that the use of a P n 
step is equivalent to the application of the [n, l,n] code in jf|. 

Calculating the evolution resulting from the application of a P n step is much more complicated 
than the resulting evolution of B n steps as given in Ipjl. However, it turns out that the evolution 
of bit and phase errors B and P can be determined easily (compare with (|15|)). 



C. Remarks 



Note that the bit error rates after applying B n or P n steps depend only on the previous bit 
error rate (but not on the phase error rate); similarly, the new phase error rate after using a 
P n step depends only on the previous phase error rate. Using B n steps, the exact coefficients 
determine the evolution of the phase error rate; considering p £ S v and n — > 00, the evolution is 
mostly determined by the fidelity a and the pure phase error rate b. 

In particular, when using B n and P n steps only, Alice and Bob do not gain any advantage, if 
they measure bit errors after performing some of these steps. This seems to be obvious considering 
the fact that they can be reduced to prepare-and-measure-schemes, where phase errors cannot have 
any influence on the protocol. 



III. ASYMPTOTIC EVOLUTION OF B n AND P n STEPS 

In this section the evolution of Bell-diagonal qubit-pair states is investigated, if they are sub- 
jected to B n and P n steps. Here, the asymptotic evolution for large values of n is of particular 
interest. In the subsequent discussion this asymptotic evolution is characterized by exponents r 
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and rp for B n and P n steps, respectively, which determine the relative scaling between bit and 
phase errors. As demonstrated in detail in section llVl the values of these characteristic exponents 
are directly related to the correctability of Bell-diagonal quantum states. 



A. Asymptotic evolution of B n steps 

Let us consider the evolution of the quantum state p = (a, b, c, d) G S v of a single qubit pair 
using B n steps for large values of n. For the sake of simplicity it is assumed that b > and 
c+d > 0, because the remaining cases are trivial. For this purpose we define first of all some useful 
variables: 

a + b . a — b . c — d 

x -=— 3> Ai:=— -, A 2 :=— -. 7 

c+d c+d c+d 

After having performed a B n step the resulting quantum state is given by 

(a, b\ c, d') = - x n + y n + 5 n ,^ - y n - 5 n , x n - 5 n , 5 n ^j := B n (a, b, c, d) , (8) 

where x n and y n denote the resulting bit error rate (B) and inverse phase error rate (1/2 — P). The 
quantity 5 n characterizes a correlation between bit and phase errors. The evolution © immediately 
implies (the symbol = means asymptotically equal) 

K 1 (9) 

2y n = (A^ + A%)/(l + i n ) =A^/x n . 

For particular values of the parameters a, b, c, d it is possible to define a characteristic exponent 
r£l with the defining property linin^oo x n /(2y n ) r = 1. In view of the elementary relation 

2y n ~ A^ + A% ~ A™ " \ Ai J ' 
this defining property implies that the term in the bracket must be unity, i. e. 

a+b 

c+d 



(10) 



1 Jn A, 



-1 j n a+b 



ln^±|' 

a—b 



(11) 



lnx 

Therefore, using the conservation of probability, i. e. c + d = 1 — a — b, one may establish relations 
between values of the characteristic parameter r and particular Bell-diagonal states. Two examples 
of such correlations are: 

r > 1 44> a > 1/2 (entanglement w.r.t. |$ + )), 

r > 2 f(a, b) := a 2 + b 2 - (a + b)/2 > (12) 
& (a - 1/4) 2 + (b- 1/4) 2 > (1/2V2) 2 = 1/8. 
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FIG. 1: Regions for r > 2 (white) and r < 2 (black) for fidelity a and pure phase error rate b; grey: no 
physical states. 

The left hand side of the latter inequality can be interpreted geometrically as a cylinder centered 
around the chaotic state p = j J (compare with figure The function / is easier to evaluate than 
the exponent r and will be used in some calculations. In the main theorem of the next chapter it 
will be demonstrated that purification succeeds in the regime of characteristic exponents r > 2. 

B. Asymptotic evolution of P n steps 

The evaluation of the asymptotic evolution of P n steps turns out to be much more complicated 
than the one of B n steps. For this purpose the following lemma is useful: 

Lemma 1 (Properties of the binomial distribution) 

Let p G [1/2; 1], n £ N be odd; in these cases the relation 

(n-l)/2 



k=0 ^ ' 



c(n,p)z n (13) 



is valid with z := 2y/p(l — p), where the image of the function c(n,p) is given by the interval [0; 1] 
and c(n,p) decreases at most sub- exponentially for n — ► oo and for any p G [1/2; 1]. 

Proof: A proof of this lemma is given in IB II 

Analogous to ((HI) the asymptotic evolution of the state (a, b, c, d) of a qubit pair under a P n 
step is given by 

(a',b',c',d') = u n + v n + e n ,u n - e n ,^- v n - e n ,e n j := P n (a,b,c,d) . (14) 
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Here, u n is the phase error rate and v n is the inverse bit error rate; the value e n specifies the 
correlation between bit and phase errors. 

Using these definitions, the calculation of u n and v n is straightforward, whereas the calculation 
of the correlation e n is rather involved. For odd values of n € N one obtains the relations 

un = Et" 1)/2 (J) (a + cf(b + dY~ k Lem < m [4(a + c)(b + d)] n/ \ (lg) 
2u„ = (a + 6 - c - d) n = F n . 



Using lemma ^ we may also write u n = c(n,a + c) z 71 for z = 2-y/ (a + c)(b + d). Similar to the 
construction for B n steps, one can define an exponent rp, which characterizes the asymptotic 
evolution of P n in the sense that z/F rp = 1. This yields the relation 



La 2 _ \a.2y/{a + c){b + d) _ 1 In 4 (a + c)(b + d) 
rp ~ LnF ~ ln(a + b-c-d) ~ 2 In (a + 6 - c - d) ( ^ 



for the characteristic exponent rp. In view of the relation 



u n c(n,a + c)z n / z , 

-c(n,o + c) — - . (17) 



the quotient u n /(2v n ) rp converges to +oo for all exponents larger than rp because c(n, a + c) < 1 
decreases at most sub-exponentially. Furthermore, the bounds z, F < 1 imply the inequalities (S 
and P denote bit and phase error rate): 

r P > 1 ^ (1/2 - £) 2 + (1/2 - Pf > (1/2) 2 = 1/4, 
r P > 2 <^ (1 - 2B) A - 4P(1 - P) > 0. 



C. Remarks 



Note that the P n step defines a mapping P n : (B,P) \— > (B',P'), if one ignores the correlation 
between bit and phase errors. In particular, a possible statistical independence of bit and phase 
errors, i. e. the validity of the relation (b + d)(c + d) — d = 0, is invariant under P n steps but not 
under B n steps. The following lemma is of some interest: 

Lemma 2 (Separability using P n steps) 

Let p = (a, b, c, d) £ S v , n £ N be odd and p' = (a 1 , b 1 , c', d') := P n {p); this implies 

1. p' is entangled, if and only if a' > 1/2 holds. 

2. If bit and phase error rate in p are statistically independent, then for sufficiently large n the 
state p' is separable, if and only ifrp(p) < 1 holds. 
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Proof: For the proof of the first statement, it is sufficient to show that b',c',d' < 1/2. From (|15|) 
follows the inequality B' = c' + d! = (1 - F n )/2 < 1/2 and because of F > one gets c', d! < 1/2. 
P' = b' + d' decreases monotonically in n, which implies the assertion. 

Thus, for the proof of the second inequality one concentrates on the value of a'. Statis- 
tical independence of bit and phase errors implies a' = 1 — P' — B' + B'P'; using the no- 



tation c(n) := c(n,a + c) yields a' = 1 - c(n)z n - (l/2-F n /2) + c(n)z n (1/2 - F n /2) and 



i 7 ™ < c(n)z n is sufficient. Because c(n) decreases at most sub-exponentially, F < z, i.e. rp < 1 is 
sufficient. On the contrary, if rp > 1, i. e. F > z, the assertion follows by a similar reasoning. 

IV. THE CRITERION FOR ASYMPTOTIC CORRECTABILITY (MAIN THEOREM) 

In this section the question of asymptotic correctability of Bell-diagonal quantum states is 
addressed from a more general point of view. In particular, our main theorem is stated and proved 
which relates the asymptotic correctability of a large class of general entanglement purification 
protocols to the characteristic exponents determining the scaling of their resulting bit and phase 
errors. The general entanglement purification protocols of this class are supposed to consist of 
arbitrary sequences of basic steps which involve classical one- and/or two communication between 
Alice and Bob until the Shannon bound is reached. Subsequently these steps are supposed to be 
completed by a CSS-based purification protocol, which involves classical one-way communication. 
This main theorem will be specialized to sequences of B n and P n steps in the next section. 

Let us start by defining the notion of asymptotic correctability: 

Definition 1 (Asymptotic correctability) 

Let p = (a,b,c,d) £ S v and (S n ) n& fq be a sequence of possible steps in an entanglement purification 
protocol. The state p is called asymptotically S'n-correctable under this sequence, if there exists an 
N G N, such that for all n £ N, n > N the inequality AsymCSS[5„(p)] := 1 - H(B) - H(P) > 
holds, where B and P denote bit and phase error rate of the resulting state S n (p) after the use of 
that step. 

Here, H(^) := — £ log2 ^ — (1 — ^) log2 (1 — ^) is the binary Shannon entropy and the function 
AsymCSS denotes the Shannon bound, i. e. the minimum rate of an asymmetric CSS code j^, 
|^. If AsymCSS(p) is positive the state p can be corrected by some CSS code, i.e. by one-way 
classical communication. Important special cases are (5 n ) rag N € {(B n ) n& fq, (-P2n+i)neN }- Note 
that asymptotic correctability implies correctability, but not vice versa, in general. 




Therefore, for a resulting separable state for n — > oo 
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Using the notation of (jHJ) for the state of a qubit pair after application of an arbitrary S n step, 
i. e. B — * x n and P —* 1/2 — y n , one obtains 

1 



AsymCSS(x n , 1/2 - y n ) = -H{x n ) + (In 2) 



2y n artanh(2y n ) + ^ ln(l - <iy 2 n ) 



(19) 



Because of the symmetry of AsymCSS, this is also valid for the case, where P — > x n and B — > 
1/2 — y n . Dropping positive terms in the (partial) Taylor series expansion of (|19l) one obtains the 
lower bound 

AsymCSS(x„, 1/2 - y n ) > A(x n , y n ) := (In 2) _1 [x n In x n - x n + 2y£] (20) 

for < x n < 1/2 and < y n < 1/2. 

Obviously, one can define an asymptotic S n - correction purification protocol in the following 
way: Alice and Bob determine the smallest n £ N, such that S n (p) can be corrected by some 
asymmetric CSS code, apply S n , and use an appropriate CSS code to obtain a purified final state. 
In the case of B n and P n steps smaller values of n usually result in higher key generation rates, 
both in the two-way part of the protocol and in the CSS part. 

Finally, it should be noted that the condition AsymCSS(/)) > is only sufficient, but not 
necessary for the existence of asymmetric CSS codes which are capable of purifying a quantum 
state. If this condition is violated, there may also exist applicable CSS codes, but this cannot be 
guaranteed in general. 

After these introductory remarks let us state and prove now the following main theorem: 
Theorem 1 (Main theorem) 

Let p = (a,b,c,d) £ S v and (S' n ) ng N be a sequence of possible steps in an entanglement purification 
protocol. Furthermore, let 

(x n ,y n ) = (B,l/2-P) or (x n , y n ) = {P, 1/2 — B) 

after application of an S n step, and let (S' n ) ng N be a sequence of such steps, such that 
lim n ^ 

oo %n — holds. Finally, let 

r sup := sup{r £ R\ sup{x n /y r n \ n £ N} < oo} . (21) 

Then, p is asymptotically S n - correctable, if r sup > 2 holds. Furthermore, if p is asymptotically 
S n - correctable, then r sup > 2. 
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Proof: First part (r sup > 2 is sufficient): If r sup > 2, one can find an exponent r > 2 and 
a value c > 0, such that x n < cy r n for all n G N. The function A(x, y) is used to minorize 
AsymCSS(x, 1/2 — y). As a consequence the worst case with the maximum possible error rates is 
given by x n = cy r n . This implies 

(In 2 • A)(x n ,y n ) = cy r n ln«) - cy^ + 2y 2 > 

^ fy^ 2 [(lnc+ 1) + rlny n ] + 1 > 0. 

Because x n tends to zero in the limit n —* oo, also y n does so. Therefore, the first term of the latter 
inequality becomes arbitrarily small due to lim n ^ QO y^ -2 lny n = 0. Thus, we obtain the required 
result, namely that AsymCSS(x n , 1/2 — y n ) > for large n. 

Second part (r sup > 2 is necessary): The condition r sup < 2 implies that sup {x n /y 2 | n G N} = 
oo, i. e. there exists at least a subsequence, for which c := inf jx n /y 2 | n G N} > holds. From the 
Shannon bound it is obvious, that for guaranteeing correctability, x n should be as small and y n as 
large as possible. Therefore, in view of the conditions of the theorem the best case is given by a 
subsequence with x n = cy\. Using relation (|T§)) and the elementary properties 

(d/dy) [2y artanh(2y) + ln(l - 4y 2 )/2] = 2 artanh(2y), 

(d/dy)[2artanh(2y)] = 4/(4 - y 2 ), 

(d/dy) [- In 2 H(cy 2 )] = 2cy In (cy 2 /(l - cy 2 )) , 

(d 2 /dy 2 ) [- In 2 H(cy 2 )] = 2c [in (cy 2 /(l - cy 2 )) - 2/(cy 2 - 1)] , (23) 

one therefore notices 

lim AsymCSS(cy 2 , 1/2 - y n ) = 0, 



lim AsymCSS(cy 2 ,l/2 - y) \ y=Vn = 0, 
n— >oo dy 



d_ 

^ AsymCSS(cy 2 , 1/2 - y) \ y=Vn < for y n -» 0. (24) 

Thus, the state is not asymptotically ^^-correctable and the assertion is proved. 
In particular, the special case (5„)„ 6N G {(B n ) neN , (P 2 n+i)neN„} yields 

Corollary 1 (Asymptotic B n - and Pn-correctability) 

For p G S v the following statements are true: 

In 2+5 

p is asymptotically B n correctable r{p) = — ^ > 2, 

a — & 

p is asymptotically P n correctable rp(p) = ^"nja+b-c-rf) ^ ^' 



(25) 
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Proof: This assertion follows immediately from theorem ^ an d the basic properties of B n and 
P n steps discussed in sections IIII Al and IIIIBI The equivalence in the case of asymptotic B n - 
correct ability results from the fact that for r = 2 the equation lim^^oo x n jy\ = 4 holds (see 
section UlI Af) : this implies inf \x n jy^\n G N} > and the assertion follows as in the proof of 
theorem ^ 

V. ASYMPTOTIC CORRECTABILITY USING B n AND P n STEPS 

In this section it is analyzed for which qubit-pair states (a, b, c, d) a purification based on B n 
and P n steps and asymmetric CSS codes fulfilling the Shannon bound is possible according to the 
main theorem of the previous section. It is shown that bit-error correcting B n steps alone are 
already able to guarantee security of the BB84 protocol and the six-state protocol up to maximum 
bit error rates of magnitudes 1/5 and 1/2 — 1/(2\/5), respectively. Furthermore, numerical evidence 
is provided that even arbitrary sequences of phase-error correcting P n steps cannot improve on 
these bounds. Based on this evidence the maximum possible bit error rates which are tolerable 
in the BB84 protocol and in the six-state protocol are given by 1/5 and 1/2 - 1/(2^5), provided 
error correction and privacy amplification are based on arbitrary sequences of B n and P n steps 
and the use of CSS codes. 

A. Reduction to the use of the exponent r 

So far we have concentrated on three possibilities for purifying a given Bell-diagonal quan- 
tum state. A quantum cryptographic protocol can be made secure, if it produces states with 
AsymCSS(p) > 0, r(p) = £j§ > 2 or r P (p) = > 2 and possibly in the case 

a — b 

rp{p) = 2. As can be seen from the following theorem these conditions are not independent: 

Theorem 2 (Reduction to the characteristic exponent r) 

Let p = (a, b, c, d) £ S v . Then, 

AsymCSS(p) > => r P (p) > 1 r(p) > 2. (26) 

In particular, rp(p) > 2 => r(p) > 2. 

Proof: A detailed proof is given in IB 21 

It should be noted that for any state p £ 5bd, the value of r{p) is invariant with respect to B n 
steps, because from © one obtains immediately the relation r[i? n ( / o)] = r(p). 
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B. Limits for the maximum tolerable error rate 

Theorem shows that it is sufficient to consider the characteristic exponent r for determining 
the correct ability using B n and P n steps and asymmetric CSS codes (using the Shannon bound). 
According to this theorem the only possibility to purify states with r < 2 is to apply P n steps, 
which may possibly yield states with r > 2. If this is not possible, the asymptotic i? n -correction 
is already optimal with respect to the maximum tolerable error rate in our model. The following 
conjecture indeed suggests that asymptotic B n correction is optimal: 

Conjecture 1 (Optimality of the asymptotic B n correction) 

Let p = (a, b, c, d) G S v with r(p) < 2. Then, for all odd n G N 

r[P„(p)]<2. (27) 

The subsequent lemmata show that for a proof of this conjecture it is sufficient to prove it on a 
certain subset of states (compare with figure^). But this turns out to be difficult and an analytical 
proof is not known. However, as demonstrated below numerical results (compare with figure [2J) 
and plausibility arguments are in favour of the validity of this conjecture. 

For the formulation of these lemmata it is convenient to parameterize the set S v by 

Z(a, b; z) := (a, b, z{l - a - b), (1 - z)(l - a - b)) G (28) 

with a > 1/2, b >0, a + b < 1 and z £ [0; 1]. It is useful to visualize these lemmata with the help 
of figure ^ The function / introduced in ()12|) will be used frequently. 

Lemma 3 (Concerning the diagonals in figure ^) 

Let a,b,z,z' ,5 G [0; 1] be chosen in such a way that Z(a,b\z),Z{a — 5,b + S;z') £ S v . Then, 
r [Z(a, b;z)\<2=>r [Z(a -5,b + 5; z')] < 2. 

Proof: By (|12|) . r < 2 <S> f(a,b) < 0; thus, z and z' are unnecessary and one can calculate 
f(a — 5,b + 5) = f(a,b) + 25 (— a + b + 5). The first expression is negative by assumption, the 
factor 25 is non-negative. Using Z(a — 5,b + 5;z') £ <S V , one finds a — 5 > 1/2 and therefore 
5 < a — 1/2 < a — b, which implies the assertion. 

Lemma 4 (First reduction to states with d = 0) 

Let a,b G [0; 1] be chosen in such a way that Z[a, b; 1) G S w and f(a, b) < 0, and let n G N be odd 
and z G [0;1]. Then, r[P n (Z(a,b;l))] < 2 => r[P n (Z(a,b; z))] < 2. 
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Proof: Let p = Z(a,b;z) £ S v . The P n step can be viewed as a mapping from old to new bit 
and phase error rates, i. e. P n : (B, P) i— ► (B', P'). In view of B = c + d and B' = d + d' the bit 
error rates do not depend on z. In figure ^ a variation of z results in a variation on the diagonal 
a' + b' = const. By the evolution © one notes that the fidelity a' becomes larger, if the initial 
phase error rate gets small (proof in IB 3 a|) , Lemma |3] now implies the assertion. 
Because of this, it is sufficient to consider the best case, i. e. z = 1 or d = 0. 

Lemma 5 (Second reduction of the parameter space) 

Let a,b,e £ [0; 1] be chosen in such a way that Z(a, b; 1), Z(a — e, b + e; 1) G S v , and let n £ N 6e 
odd. Then, r[P n (Z(a,b;l))] < 2 => r[P„(Z(a - e,b + e; 1))] < 2. 

Proof: The bit error rate B = c + d before and thus after a P„, step does not depend on e. Using 
lemma 01 in the best case the fidelity a' is maximal after performing a P n step; as shown in the 
IB 3 bl this is the case for e = 0. 

Because of the lemmata 0] and El the assertion from conjecture ^ has to be shown only on a 
certain subset, which can be parameterized by the function K : [— 1; +1] — > <S V with 

K{t) := Z (l/4+ (2^2)" 1 cos(^/4), 1/4 + (2 V / 2) _1 sin(7rt/4); l) . (29) 

This subset corresponds to the border of the black circle of figure ^ Figure |^1 demonstrates 
graphically the validity of the claim for the first few values of n. The curves of figure [3 even seem 
to imply that r tends to zero for large values of n. By Lemma |^1 it also appears that the states 
become separable and thus non-correctable for large values of n. 

Provided conjecture ^ is correct the following conjecture can be proven: 



16 



Conjecture 2 (Correctability by using B n and P n steps) 

For p = (a, b, c, d) G S v the following statements are equivalent: 

1. r(p) > 2 (or equivalent f(a,b) > by lilty) ): 

2. p is asymptotically B n - correctable; 

3. There exists a sequence of B n and P n steps, such that after performing this sequence the 
resulting state p' fulfills the inequality AsymCSS(p') > 0. 

Proof: The equivalence of the first two statements was shown in corollary ^ ° n page W2\ that the 
second statement implies the third one is trivial, and that the third one implies the first follows 
from theorem [21 and conjecture ^ via contraposition. 



C. Values of the maximum tolerable error rate 



Using the criterion derived in the previous sections, one can calculate the maximum tolerable 
error rate for the BB84 and the six-state protocol assuming the model considered there. In case 
of the six-state protocol b = c = d holds |5J]; thus, one only has to consider the so-called Werner 
states. Using the notation 

W(F) : = (F, ^T"> HT~' HT~) ' BB84(F) := (F, ±f, ^, 0) , (30) 

one calculates for the six-state protocol 

r[W(F)]>2 <^ F > (5 + 3\/5) /20 0.585410 
O B < 1/2 - 1/(2^/5) ps 27.6393%. 



For the BB84 protocol one can in principle use similar reasoning as the one by Gottesman-Lo 
but the statement that the BB84(i ? ) state is the worst case for fixed bit error rate B can be proved 
much easier now. As before B = P = b + d = c + d and thus b = c hold; using a suitable parameter 
5 £ [0; B], one can rewrite the state as 

p=(l-2B + S,B-6,B-S,S). (32) 

By (H2J) it follows that f{p) = 25 2 + (2 - 6B)5 + (1/2 - 7B/2 + 5B 2 ) and derivation with respect 
to 5 yields 4<5 2 + (2 — 6B) > 0, if B < 33.3 %. Therefore, / increases monotonically with respect to 
5 and the worst case possible is 5 = 0, i. e. the BB84 state defined above. In this case, it follows 

r[BB84(F)] > 2 O F > 3/5 = 0.600000 
^ B < 1/5 = 20.0000%. 

Q 

These maximum tolerable error rates coincide exactly with the ones given by Chau |6j|. 
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VI. CONCLUSIONS 



We analyzed general entanglement purification protocols which imply the security of any quan- 
tum key distribution protocol whose security analysis can be reduced to the purification of Bell- 
diagonal states. These entanglement purification protocols are supposed to consist of arbitrary 
sequences of basic steps involving classical one- and/or two-way communication between Alice and 
Bob until the Shannon bound guarantees a successful completion of the entanglement purification 
on the basis of an appropriate CSS encoding and classical one-way communication. As a main 
result a necessary and a sufficient condition on asymptotic correctability of Bell-diagonal qubit- 
pair states were presented relating the success of such general entanglement purification protocol 
to the magnitude of a characteristic exponent, which governs the scaling between bit and phase 
errors. Applying this theorem to entanglement purification protocols of the Gottesman-Lo type we 
demonstrated that in the cases of the BB84 and six-state quantum cryptographic protocols secret 
keys can be generated even without any phase-error correcting steps of the Gottesman-Lo type 
up to the already known bit error rates of 1/5 = 20% and 1/2 - 1/(2^5) » 27.6393%. Further- 
more, numerical evidence was provided that also the inclusion of additional arbitrary sequences of 
phase-error correcting steps cannot improve on these particular bounds. 
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On two possibly different states p = (a, b, c, d) £ 5bd and a = (p, q, r, s) G 5bd a B<i step is 
applied. After measuring and discarding the second qubit pair, the reduced density matrix of the 
first pair reads 
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APPENDIX A: EVOLUTION USING B n AND P n STEPS 



1. Evolution using B n steps 




(Al) 



where N = (a + b)(p + q) + (c + d){r + s) is the normalization constant. 
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The proof of formulae © will be done by induction similar to the one in In a B n step 
the i?2 step is used (n — 1) times, where p is the first pair and a is a new pair every time, i. e. 
p = Bk [(a, b, c, d)] and <r = (a, 6, c, d). One notes, that the case n = 1 is trivial and n = 2 is the 
starting point of the induction. One now assumes that formulae © are valid for a fixed n G N. 
By using (|A1|) one calculates for (a', 6', c', d') := B n+ % [(a, 6, c, d)] 

a' = [(a + 6) n+1 + (a - 6) n+1 ] /2iV' 6' = [(a + 6) n+1 - (a - 6) n+1 ] /2N' 
c' = [( c + d) n+1 + (c - d) n+1 ] /2JV' d' = [(c + d) n+1 - (c - d) n+1 ] /2N' 

where N' = [(a + b) n+1 + (c + d) n+1 ] is the new normalization constant. 



2. Evolution using P„ steps 

The evolution of a state by applying P n steps is more complicated than the one by applying 
B n steps. An analytical expression can be given by listing all possible combinations of Bell states, 
calculating the resulting Bell state systematically (by phase majority and bit parity) and adding 
them up according to their probability; for P n [(a, b, c, d)] it follows: 

M(A, B,C,D) {a A b B c c d D , a B b A c D d c , a c b D c A d B ,a D b c c B d A ) . (A3) 

{A,B,C,D)£X n 

Here, M(A, B,C,D) := (A + B + C + D)\/[A\ B\ C\ D\) is a multinomial coefficient and X n := 
{(A, B, C, D) G No | A + B + C + D = n,A + C > B + D,A + B odd}. 



APPENDIX B: REMARKS TO SOME THEOREMS 
1. Proof of lemma ^ 

The idea of lemma ^ (page [SJ) is to determine the exponential evolution of f n (p) and to absorb 
it into the value of z n . Therefore, the appropriate value is z(p) = lim^^co v// n (p)- In particular, 
z(l/2) = 1 and z(l) = 0. For the remaining cases p G (1/2; 1), one uses only the last term in the 
expression for /2n+i(p), which leads to 

/2n + l(p) = £ ( 2 \ + ') P k (1 " P? n+l ~ k > l ) P n (1 " PT +1 . (Bl) 

fc=0 ^ ' \ n J 

The Stirling formula 13<] n n e~ n \[2jm <n\< n n e~ n \/2irn e 1 / 12 ™ yields 

n + 1 ^2n + l^ (2n)! (^VV§§ 2n e^™ 



2n + l \ n J (n!) 2 ~ n 2n e~ 2n 2im e x l &n ■s/ttu 
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p 




FIG. 3: Left figure: minimum fidelity for r > 2, rp > 1 and rp > 2 (down to up); right figure: Lines for 
AsymCSS(B, P) = and r P = 1 



Thus, ( 2n n +1 ) > 2 2n+1 /i(n) with fc(n) = e" 1 / 6n (l - ^PT))/V™ and therefore 

i i 

/un+lCp) 3 ^ > 2/1(71)^-^^+* (1 -p) 2 "HTT "Z^ 2^(1 - p). 



(B3) 



By this z(p) > 2y/p(l — p) was proved. The inequality z(p) < 2^Jp(l — p) is a special case of the 



Chernoff bound (cf. 



12j, p. 154, (3.5)). 



2. Proof of theorem [5] 

a. On the first implication (AsymCSS( j o) > rp > I) 

For the proof of the first implication, one notes that AsymCSS and rp can be considered as 
functions of B and P and that AsymCSS (Si, Pi) > AsymCSS(S 2 , P 2 ) holds, if < B x < B 2 < 1/2 
and < Pi < P 2 < 1/2. Because of (fTHD it has to be shown that AsymCSS(P,P) < is true on 
the circular arc defined by rp = 1 (see figureEJ), i.e. that 

h(t) := 1 - H [(cos t) /2] - H [(sin t) /2] < (B4) 

is valid for i E [0;7r/2]; by symmetry of the function, it is sufficient to show the property for 
t £ [0;7r/4]. Using h(0) = 0, it is further sufficient to show that h'(t) < for t G [0;7r/4], i.e. 

(In 4 • h!) {t) = cos t [In sin t - ln(2 - sin t)] - sin t [in cos t - In (2 - cos f )] < 0. (B5) 

Rewriting this inequality yields sin i[ln(2— cost)— In cost] < cost [ln(2— sint) — In sin t] and because 
t £ [0;7r/4] implies cost > sint > 0, it further only remains to show that 

h' B {t) := ln(2 - cost) - In cost - ln(2 - sint) + In sint < (B6) 
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is valid. By h" B (t) = (sin t/{2 - cost)) + tan t + (cos t/(2 - sin t)) + cot t, h B (t) > for t G [0;tt/4], 
and thus, /t^ increases monotonically. Finally, h' B (ir/4) = 0, which implies the assertion. 

b. On the second implication (rp > 1 => r > 2) 

The proof of the second implication can also be visualized by figure 01 Plotting the minimum 
fidelity a £ [1/2; 1], for which r > 2 is true, as a function of 6 £ [0; 1/2] results in the function 

f r=2 (b) := 1/4 + ^l/8-(6-l/4) 2 . (B7) 

Because rp depends upon the error rates B and P, it is not directly possible, to plot the minimum 
fidelity a as a function of b. Assuming the best case (i. e. the smallest minimum fidelity possible), 
one assumes the minimum phase error rate and therefore d = 0. In this case the limiting function 
is 

f rp=1 (b) :=l-b- (1/2 -^bO^Vj). (B8) 

For proving f rp =i > fr=2 (see also figure 0J), let A(b) := f rp= i(b) — / r=2 (6). It has to be shown 
that A(6) > for b G [0; 1/2]. This function is continuous and by the intermediate value theorem, 
it is sufficient to show that b\ = and b 2 = 1/2 are the only points where it is zero and that there 
exists a point b where A(6) > 0. Repeated squaring of the equation A(6) = yields a necessary 
condition for any zero of A: 

56 4 - 6b 3 + 9b 2 /4 - 6/4 = 56(6 - l/5)(6 - 1/2) 2 = 0. (B9) 

The set of zeroes of the last equation is {0, 1/5, 1/2}. Because of A(0) = A(l/2) = and A(l/5) = 
1/10 > 0, A is non-negative on the whole interval [0; 1/2]. 

3. Remarks to conjecture ^ 

Some details regarding lemmata0]and[5]are given. Before continuing, note the following lemma 
(the proof is trivial): 

Lemma 6 (Monotonicity of the binomial distribution) 

Let n G No and r £ {0, ...,n}. The function f : [0; 1] — > [0;1], which is defined by f(x) := 
Sfc=o (fc) xk {l ~ x) n ~ k decreases monotonically in x. 
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a. On the first reduction 

It remains to show, that a' is maximal, if z = 1. By (|A3|) it follows using p = Z(a,b;z) 
and K := C + D and (Aj-B.C.D) G X n that a' = Y,a,b m ( A >B,C + D, 0)a A 6 B (l - a - 
5)C+D Y^d^o {d)^' ^ 1 - z )°- For a ' bem § maximal ! it is sufficient that for all possible A,B,K 
each term of the inner sum becomes maximal. For fixed A and B the sum over D is of such a form, 
that lemma El can be applied, i. e. a' becomes maximal when (1 — z) = or z = 1 hold. 

b. On the second reduction 

The proof is similar to the previous one. Using K := A+B yields a' = J2 C {q)c c J2b=*o (b) ( a ~ 
e) (b + e) B . As before the maximality of the inner sum is sufficient for the maximality of a'. If 
one divides this by (a + b) K , the assertion follows by lemma H3 
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